esphome@2024.2.1 vulnerabilities

Make creating custom firmwares for ESP32/ESP8266 super easy.

latest version

2024.4.2
latest non vulnerable version

2024.5.0b3
first published

5 years ago
latest version published

11 days ago
licenses detected
- MIT
  [0,)
View esphome package health on Snyk Advisor Open this link in a new tab

Report a new vulnerability Found a mistake?

Direct Vulnerabilities

Known vulnerabilities in the esphome package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability Vulnerable Version

Vulnerability	Vulnerable Version
H Cross-Site Request Forgery (CSRF) esphome is a Make creating custom firmwares for ESP32/ESP8266 super easy. Affected versions of this package are vulnerable to Cross-Site Request Forgery (CSRF) due to insufficient protection for API endpoints in the dashboard component. An attacker can perform operations on configuration files (create, edit, delete) on behalf of a logged user by directing them to visit a maliciously crafted web page. This effectively bypasses authentication for API calls. The vulnerability can be further exploited in conjunction with another issue to achieve complete account takeover. How to fix Cross-Site Request Forgery (CSRF)? Upgrade `esphome` to version 2024.3.0 or higher.	[2023.12.9,2024.3.0)
M Cross-site Scripting (XSS) esphome is a Make creating custom firmwares for ESP32/ESP8266 super easy. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the edit configuration file API in the dashboard component. An attacker can inject arbitrary web script and exfiltrate session cookies by sending a specially crafted POST request to the `/edit` endpoint with a malicious JavaScript payload in the configuration parameter. Note: Cookies are not correctly secured, allowing the exfiltration of session cookie values. How to fix Cross-site Scripting (XSS)? Upgrade `esphome` to version 2024.2.2 or higher.	[2023.12.9,2024.2.2)

Cross-Site Request Forgery (CSRF)

esphome is a Make creating custom firmwares for ESP32/ESP8266 super easy.

Affected versions of this package are vulnerable to Cross-Site Request Forgery (CSRF) due to insufficient protection for API endpoints in the dashboard component. An attacker can perform operations on configuration files (create, edit, delete) on behalf of a logged user by directing them to visit a maliciously crafted web page. This effectively bypasses authentication for API calls. The vulnerability can be further exploited in conjunction with another issue to achieve complete account takeover.

How to fix Cross-Site Request Forgery (CSRF)?

Upgrade esphome to version 2024.3.0 or higher.

[2023.12.9,2024.3.0)

Cross-site Scripting (XSS)

esphome is a Make creating custom firmwares for ESP32/ESP8266 super easy.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the edit configuration file API in the dashboard component. An attacker can inject arbitrary web script and exfiltrate session cookies by sending a specially crafted POST request to the /edit endpoint with a malicious JavaScript payload in the configuration parameter.

Note: Cookies are not correctly secured, allowing the exfiltration of session cookie values.

How to fix Cross-site Scripting (XSS)?

Upgrade esphome to version 2024.2.2 or higher.

[2023.12.9,2024.2.2)

Go back to all versions of this package

esphome@2024.2.1 vulnerabilities

Make creating custom firmwares for ESP32/ESP8266 super easy.

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities